Many organizations and enterprises use personal data in the course of standard business practices. For example, medical facilities maintain patient records that include personal data such as name, address, and phone number. These records may also contain private or sensitive information about the medical history, diagnoses, and treatments of these patients. Sensitive information may further include a patient's financial account information used for billing.
The use and maintenance of personal data by businesses must comply with privacy regulations, which typically demand that a process access personal information only if the information is needed for the purpose of performing that process and that the process itself is legitimate. In almost any business, however, there are overlapping processes, some of which may require use of personal information and some of which may not. In addition, collections or records of data often comprise both personal and non-confidential data. As a result, protecting this sensitive information becomes burdensome for enterprises and for the applications that track and control these processes and the types of data that they utilize.
What is needed, therefore, is a way to minimize the amount of personal or sensitive information that can be accessed by a process so that processes are limited to receiving only the sensitive information that they require.